Community Member

Bypass the IP NAT for VPN Users

Hi,

I have configured ip nat on a Cisco 6153 switch and it is working fine. But I need to bypass the ip nat configuration for VPN users.

e.g. 192.168.1.1 is NATed to a global IP address; the ip nat is working fine, but I need the VPN users to be able to connect to the same server as well.

38 REPLIES
Hall of Fame Super Blue

Re: Bypass the IP NAT for VPN Users

abdussamedpkpk wrote:

Hi,

I have configured ip nat on a Cisco 6153 switch and it is working fine. But I need to bypass the ip nat configuration for VPN users.

e.g. 192.168.1.1 is NATed to a global IP address; the ip nat is working fine, but I need the VPN users to be able to connect to the same server as well.

Abdu

You need to be specific in your access-list that defines the NAT eg.

access-list 101 permit ip any any

ip nat inside source list 101 interface vlan10 overload

The above would translate all traffic coming in on an interface with "ip nat inside" to the vlan10 interface address. If you wanted to exclude, for example, 192.168.1.1 when it is going to a particular subnet, i.e. your VPN users:

access-list 101 deny ip host 192.168.1.1 192.168.10.0 0.0.0.255  <--- 192.168.10.0/24 is your VPN user subnet

access-list 101 permit ip any any

ip nat inside source list 101 interface vlan10 overload

So basically you need to "deny" the traffic you do not want to be NATed before you do any permits.

Jon

Community Member

Re: Bypass the IP NAT for VPN Users

Thanks for the reply. Actually I need to connect the server for both VPN and Public. Is it possible or not?

Hall of Fame Super Blue

Re: Bypass the IP NAT for VPN Users

abdussamedpkpk wrote:

Thanks for the reply. Actually I need to connect the server for both VPN and Public. Is it possible or not?

So it's a static NAT you are trying to do this for? If so, you can use route-maps with static translations:

Static NAT with route-maps

Unfortunately I don't believe it is supported on the 6500, but I don't have a 6500 to test with, so it may be worth trying.

Jon

Community Member

Re: Bypass the IP NAT for VPN Users

It didn't work. Thanks Mr. Jon

Bronze

Re: Bypass the IP NAT for VPN Users

Dear Samad,

I think that this issue is common with static NAT.

When there is one-to-one NAT it will always take preference. One option is to let the remote users connect to this server using the public IP only; another option is to do a route-map for the static NAT, in which you deny the local traffic from NAT and NAT everything else.

Could you please post your config.

Regards

Haris P

Community Member

Re: Bypass the IP NAT for VPN Users

Please see the configuration below for ip nat.

ip nat inside source static tcp 172.168.20.1 829 200.200.20.20 829

Community Member

Re: Bypass the IP NAT for VPN Users

Hi Abdu,

We faced a similar problem.

What we did is to use a route-map as a condition in the NAT statement.

Here is what we did:

your server : 10.10.1.1

VPN tunnel other end server : 192.168.1.1

so you don't want to NAT when 10.10.1.1 communicates with 192.168.1.1

access-list 101 deny ip host 10.10.1.1 host 192.168.1.1

access-list 101 permit ip any any

access-list 102 permit ip host 10.10.1.1 host 192.168.1.1

route-map internet

match ip address 101

ip nat inside source static 10.10.1.1 Public_IP_Address route-map internet

This will NAT the traffic as per access-list 101, which denies traffic destined to 192.168.1.1 from 10.10.1.1.

Use access-list 102 in the crypto map to define the traffic that is to be encrypted.

It worked on an 1841.

Hope it works for you also.

rate if it helps.

Thanks

Subodh

Community Member

Re: Bypass the IP NAT for VPN Users

Hi,

Thanks for the detailed support. I think my IOS version is too low to support the "ip nat inside source static 10.10.1.1 Public_IP_Address route-map" command. My IOS version is 12.2(18)SXF14. Does this version support this command? Please advise me.

Thanx

Abdu

Community Member

Re: Bypass the IP NAT for VPN Users

Hi Subodh,

Sorry for the late reply. I want to know how or where you applied both the 101 and 102 access-lists to the interface. In my case both VPN and Internet traffic terminate on the same interface.

Bronze

Re: Bypass the IP NAT for VPN Users

access-list 101 is for NAT only and access-list 102 is for permitting the VPN traffic.

You don't need to apply these ACLs on the interface.

And another thing: your IOS will support these commands.

Regards

Haris P

Community Member

Re: Bypass the IP NAT for VPN Users

The access-list is supported; I meant the route-map for ip nat is not supported on the 12.2 version. I tried this scenario but it doesn't work. That's why I doubted that it has to be applied to an interface.

Thanks&Regards,

Abdussamad

Community Member

Re: Bypass the IP NAT for VPN Users

I meant that the route-map with static ip nat is not supported with IOS 12.2. I tried this scenario but it doesn't work. That's why I doubted that it has to be applied to an interface.

Thanks&Regards,

Abdussamad

Cisco Employee

Re: Bypass the IP NAT for VPN Users

Hi Abdu,


You can try using a route-map to bypass NAT.

1. Create a dummy interface and set an unroutable IP that is not used in your network, like

interface lo100

ip address 172.16.1.1 255.255.255.0

2. Create a route-map

route-map PBR

match ip address PBR

set ip next-hop 172.16.1.2

ip access-list extended PBR

permit ip host 192.168.1.1 vpn_subnet

3. Apply the PBR on the NAT inside interface

int x/x

ip policy route-map PBR

HTH,

Lei Tian

Community Member

Re: Bypass the IP NAT for VPN Users

Could you please elaborate on it, like what is the IP in the 192.X.X.X subnet?

Cisco Employee

Re: Bypass the IP NAT for VPN Users

Hi Abdu,

I am not sure what subnet you are using for your VPN users. For example, if the VPN user subnet is 192.168.10.0/24, then the ACL will be

ip access-list extended PBR

permit ip host 192.168.1.1 192.168.10.0 0.0.0.255

Basically, just redirect the traffic between server 192.168.1.1 and the VPN users to an interface that doesn't have "ip nat outside". That way it can bypass NAT for VPN users.

HTH,

Lei Tian

Community Member

Re: Bypass the IP NAT for VPN Users

It is blocking all other traffic to the Internet after applying the route-map to the interface. It didn't work. Thank you.

Cisco Employee

Re: Bypass the IP NAT for VPN Users

Hi Abdu,

What does your ACL PBR look like? The PBR should only match traffic from the server to the VPN user subnet; other traffic should route and NAT as it did before.

thanks,

Lei Tian

Community Member

Re: Bypass the IP NAT for VPN Users

My VPN clients are getting an IP range of 10.1.1.0/24 from the pool.

The server which has to bypass the NAT is 10.10.10.10. I have configured the PBR ACL as: permit ip 10.10.10.10 (server IP) 10.1.1.0 0.0.0.255.

The other ACL is the same as before. It is passing through the FWSM module. A VLAN is communicating between the FWSM and the switch, and this VLAN has the ip nat inside command.

The same server (10.10.10.10) is NATed and is accessible for Internet users, but it is not reachable for VPN users. This NATing has to be bypassed for VPN users. Do you have any idea about the 'crypto ipsec nat-transparency udp-encapsulation' command? Is this command suitable for this situation?

Cisco Employee

Re: Bypass the IP NAT for VPN Users

Hi Abdu,

You said that after you applied the PBR, it blocked all Internet users from accessing the server; were the VPN users working at that time?

Do you have any rule blocking traffic sourced from 10.10.10.10 going out, in your other ACL or on the FWSM?

NAT Transparency is the feature that allows encrypted traffic to be NATed without problems; if I understand correctly it should not help in your situation.

thanks
Lei Tian

Community Member

Re: Bypass the IP NAT for VPN Users

To be frank, I didn't check the VPN traffic after the ACL blocked our services. Yes, there are some rules on the FWSM for the server, but we have opened the specific ports for public and VPN users.

Thanks

Samad

Community Member

Re: Bypass the IP NAT for VPN Users

Please see the sample configuration below.


firewall vlan-group 1  100,110,200,250,251,300,620,630,700
ip subnet-zero
no ip source-route
!
vlan 110
name FWSM
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 7200
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn-client
key 6 OQSPhFQ`iT_XbddbPA^E^dKN`Q^PGV\UaUdHAAB
dns 10.10.10.100
pool remote-vpn-clients
acl VPN_ACL
!
crypto ipsec transform-set vpn-client esp-3des esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto dynamic-map vpn-client 100
set transform-set vpn-client
reverse-route
!
crypto map test local-address Loopback1
crypto map test client authentication list authen
crypto map test isakmp authorization list author
crypto map test client configuration address respond
crypto map test 10 ipsec-isakmp dynamic vpn-client
!
interface Loopback1
ip address 20.20.20.20 255.255.255.248
!
interface Vlan100
description TO_ISP_LEASED_LINE
ip address 172.43.32.98 255.255.255.252
ip nat outside
no mop enabled
crypto map test
crypto engine subslot 11/0
!
interface Vlan110
description FWSM-to-SUP communication
ip address 192.16.16.2 255.255.255.224
ip nat inside
standby 110 ip 192.16.16.1
standby 110 priority 110
standby 110 preempt
!
ip local pool remote-vpn-clients 10.1.1.1 10.1.1.254
no ip nat service skinny tcp port 2000
no ip nat service H225
ip nat inside source static tcp 10.10.10.88 389 195.14.19.17 389 extendable
ip nat inside source static tcp 10.10.10.10 829 195.14.19.21 829 extendable no-alias
ip classless
!
ip access-list extended VPN_ACL
permit tcp host 10.10.10.10 10.1.1.0 0.0.0.255 eq 829
permit tcp host 10.10.10.88 10.1.1.0 0.0.0.255 eq 389
permit ip any any
!

Now I have the FWSM configuration other than this.

Cisco Employee

Re: Bypass the IP NAT for VPN Users

Hi,

I am still trying to understand how the PBR could block all other traffic to the Internet.

So you created a route-map that only matches traffic from host 10.10.10.10 to 10.1.1.0/24 and sets the next-hop to another interface; then you applied the route-map under vlan 110.

After you did that, the Internet stopped working?

Thanks,

Lei Tian

Community Member

Re: Bypass the IP NAT for VPN Users

Actually it is not the Internet. I am sorry if I confused you. The server is not accessible for the public users who are coming through the Internet, i.e. our services went down. Please see the configuration I made.

interface loopback 2
ip address 172.16.1.1

route-map PBR
match ip address PBR
set ip next-hop 172.16.1.2

ip access-list extended PBR
permit ip host 10.10.10.10 10.1.1.0

interface vlan 110
ip policy route-map PBR

ip nat inside

Is it correct?

Cisco Employee

Re: Bypass the IP NAT for VPN Users

Hi Abdu,

That is correct. So after you made the change, public users coming from vlan110 cannot access 195.14.19.21 anymore?

thanks,

Lei Tian

Community Member

Re: Bypass the IP NAT for VPN Users

Hi, it is strange that after applying the configuration again, there is no problem with the normal traffic. It is passing through; I don't know what the problem was, but the server is still not accessible for the VPN users. I can ping the server, but the problem is only when I try to reach port 829. This port is actually NATed for the public.

Thanks,

Abdussamad

Cisco Employee

Re: Bypass the IP NAT for VPN Users

Hi Abdussamad,

So after you applied the configuration, the VPN user can ping 10.10.10.10 without problem, correct? But TCP port 829 doesn't work?

Can you turn on "debug ip policy dynamic" on the switch and initiate a TCP connection from a VPN client to server 10.10.10.10 port 829? I want to see if that triggers the PBR.

thanks,


Lei Tian

Community Member

Re: Bypass the IP NAT for VPN Users

Yes, exactly. Please see the attached file for the debug information.

Cisco Employee

Re: Bypass the IP NAT for VPN Users

Hi,

Can you confirm the ACL PBR is configured like:

ip access-list extended PBR
permit ip host 10.10.10.10 10.1.1.0 0.0.0.255

thanks

Lei Tian

Community Member

Re: Bypass the IP NAT for VPN Users

Yes, it is configured as mentioned below:

ip access-list extended PBR

20 permit tcp host 10.10.10.10 10.1.1.0 0.0.0.255 eq 829
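To make the ACL behaviour discussed in this thread concrete, here is a small simulation of Cisco IOS extended-ACL first-match semantics. It is an added example written for this page, not code from any of the posters or from Cisco. It covers Jon's point that the NAT ACL must "deny" the server-to-VPN traffic before "permit ip any any", and the two PBR ACL variants from the later posts: the entry without a wildcard mask ("10.1.1.0" alone), which matches a single address rather than the 10.1.1.0/24 pool, and the entry with "eq 829" after the destination. In that last form the port applies to the destination, so the server's own packets toward a VPN client (source port 829, ephemeral destination port) do not match it, while Lei Tian's "permit ip host 10.10.10.10 10.1.1.0 0.0.0.255" does; that is worth checking against the real ACL. Assumptions: a bare address with no wildcard is treated like "host" (that is how this model reads it), and the client addresses 192.168.10.25, 10.1.1.5, the Internet address 203.0.113.7 and the ephemeral port 51515 are constructed sample values.

```python
"""Simulation of Cisco IOS extended-ACL first-match semantics, written for this
page (it is not Cisco code). Only 'any', 'host', 'A WILDCARD' address forms and
the 'eq N' port operator are modelled."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

AddrSpec = Tuple[int, int]  # (address, wildcard mask) as 32-bit integers


@dataclass(frozen=True)
class Flow:
    proto: str  # 'tcp', 'udp' or 'icmp'
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str  # 'permit' or 'deny'
    proto: str   # 'ip' matches every protocol
    src: AddrSpec
    dst: AddrSpec
    sport: Optional[int] = None  # 'eq N' after the source
    dport: Optional[int] = None  # 'eq N' after the destination


def _ip(text: str) -> Optional[int]:
    """Integer value of a dotted IPv4 address, or None if the token is not one."""
    try:
        return int(ipaddress.IPv4Address(text))
    except ipaddress.AddressValueError:
        return None


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any' | 'host A' | 'A WILDCARD' | bare 'A'. Assumption of this model:
    a bare address with no wildcard behaves like 'host A' (wildcard 0.0.0.0)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    addr = _ip(tokens[i])
    wildcard = _ip(tokens[i + 1]) if i + 1 < len(tokens) else None
    return ((addr, wildcard), i + 2) if wildcard is not None else ((addr, 0), i + 1)


def _parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    if i < len(tokens) and tokens[i] == "eq":  # only the 'eq N' operator is modelled
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line: str) -> Ace:
    """Parse one entry such as '20 permit tcp host 10.10.10.10 10.1.1.0 0.0.0.255 eq 829'."""
    tokens = line.split()
    if tokens[0].isdigit():  # optional leading sequence number
        tokens = tokens[1:]
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp", "icmp"):
        raise ValueError(f"unsupported entry: {line!r}")
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    return Ace(action, proto, src, dst, sport, dport)


def _addr_match(spec: AddrSpec, addr: str) -> bool:
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are 'don't care'
    return (_ip(addr) & care) == (base & care)


def ace_matches(ace: Ace, flow: Flow) -> bool:
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ace.sport is not None and ace.sport != flow.sport:
        return False
    if ace.dport is not None and ace.dport != flow.dport:
        return False
    return _addr_match(ace.src, flow.src) and _addr_match(ace.dst, flow.dst)


def evaluate(acl_lines: List[str], flow: Flow) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, flow):
            return ace.action
    return "deny"


def nat_translates(acl_lines: List[str], flow: Flow) -> bool:
    """Under 'ip nat inside source', 'permit' means translate, 'deny' means leave alone."""
    return evaluate(acl_lines, flow) == "permit"


# Constructed sample entries and flows using the addresses quoted in the thread.
NAT_ACL = ["deny ip host 192.168.1.1 192.168.10.0 0.0.0.255", "permit ip any any"]
NAT_ACL_PERMIT_FIRST = list(reversed(NAT_ACL))  # same entries, wrong order
PBR_NO_WILDCARD = ["permit ip host 10.10.10.10 10.1.1.0"]
PBR_DST_PORT = ["20 permit tcp host 10.10.10.10 10.1.1.0 0.0.0.255 eq 829"]
PBR_ANY_PORT = ["permit ip host 10.10.10.10 10.1.1.0 0.0.0.255"]
SERVER_TO_VPN = Flow("tcp", "192.168.1.1", "192.168.10.25", sport=829, dport=51515)
SERVER_TO_INTERNET = Flow("tcp", "192.168.1.1", "203.0.113.7", sport=829, dport=51515)
REPLY_TO_VPN_CLIENT = Flow("tcp", "10.10.10.10", "10.1.1.5", sport=829, dport=51515)

if __name__ == "__main__":
    print("deny first / permit first, server->VPN translated:",
          nat_translates(NAT_ACL, SERVER_TO_VPN), nat_translates(NAT_ACL_PERMIT_FIRST, SERVER_TO_VPN))
    for acl in (PBR_NO_WILDCARD, PBR_DST_PORT, PBR_ANY_PORT):
        print(f"{acl[0]!r} on server reply to VPN client: {evaluate(acl, REPLY_TO_VPN_CLIENT)}")
```

Run as a script it prints that only the deny-first NAT ACL leaves server-to-VPN traffic untranslated, and that of the three PBR entries only the "permit ip ... 10.1.1.0 0.0.0.255" form matches the server's reply packets toward a client in the pool. The same matcher can be fed any other entry in the thread, for example VPN_ACL, to see which direction of a flow it actually covers.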
